Deployment Architecture

Setting up Deployment Server to manage multiple instances on a single server

ShaneNewman
Motivator

Just to explain why I have to do this...

Rack space is at a premium where I work so we had to consolidate our footprint in the data center. I have successfully consolidated 14 physical indexers to 7 physical indexers with 2 instances of Splunk running on each server. Specs for those Indexing servers are:
OS: Linux Red Hat
CPU: 16-core 3.2 GHz
RAM: 128GB
HDD: SAN attached, 3 mounts per instance at 3500 IOPS per mount

I am trying to setup the serverclass.conf file to manage the instances on the indexers separately because the mount points for the indexes are different based on the instance name. How can I do this? I have read the serverclass.conf documentation and cannot find it documented in there anywhere...

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Are you asking how to distinguish two instances on the same machine?
If so, set a clientName each in deploymentclient.conf and refer to that in your serverclass.conf - those are matched first.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Are you asking how to distinguish two instances on the same machine?
If so, set a clientName each in deploymentclient.conf and refer to that in your serverclass.conf - those are matched first.

jrodman
Splunk Employee
Splunk Employee

As a footnote, I would strongly encourage setting the etc/system/local/server.conf serverName= of one of the two to be different from the other, and consider also differentiating etc/system/local/inputs.conf host= (unless you really want to make data from both systems indistinguishable).

ShaneNewman
Motivator

I have already done these things. The Universal forwarder is part of our Linux image so all system data comes in through that route. The server.conf have the images setup in this fashion: serverName = host_instance. The indexers only receive data from Splunk UF's, each instance is listening on a different port so an inputs.conf entry should not be necessary.

0 Karma

ShaneNewman
Motivator

That is exactly what I needed to know! Thank you for responding so quickly!

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...